EUVD-2026-21531CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Analysis
Remote code execution in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows authenticated teachers to upload PHP webshells through the exercise sound upload function by spoofing Content-Type headers to audio/mpeg. Uploaded malicious files retain their .php extensions and execute in web-accessible directories with web server privileges (www-data). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Chamilo LMS deployments and document current versions (1.11.x and 2.0.0 releases prior to RC.3). Within 7 days: Implement strict file upload restrictions on the exercise sound upload function by disabling PHP execution in upload directories via web server configuration (.htaccess or nginx rules) and restricting upload extensions to audio-only MIME types. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today